Case of the XP Service Pack 3 Upgrade Fail

Over the weekend the drummer in my band “The Brushed Keys” ( https://www.youtube.com/watch?v=WU-U7SBPF5Y&list=PLQA4w1oo2uGQGxKTzvzcJaPcNSj8SL8pp ) had finally taken the plunge and attempted the Windows XP Service Pack 3 upgrade, only about 6 years late.

However, it all went wrong when the machine would no longer start up, going to a permanent black screen with a mouse cursor after the XP logo. This occurred in all the Safe Modes, and also with Last Known Good Configuration.


Using a Windows PE boot disk I had on hand, with diagnostic utilities, I first used an offline event viewer, Event Log Explorer ( http://www.eventlogxp.com/ ), to check the last Windows events, opening the .evt files in c:\windows\system32\config. This tool is particularly useful in XP environments because .EVT files cannot be opened by Event Viewer if copied off a machine; they must be exported first. Windows Vista and later EVTX files do not suffer this problem.

From the application log we could see WinLogon.exe was crashing, but there was no fault information, i.e. exception code, faulting module, etc. In addition, Dr Watson logs were not generated. Without a FireWire/serial cable on hand I didn’t have much diagnostic info, so I decided to just revert the XP Service Pack 3 upgrade.

On the C: drive I could see System Restore was enabled, but in Windows XP you cannot use System Restore until you actually boot into the system (or you have a specific boot disk to handle offline XP System Restore; I hadn’t used one in 5 years or more, so I had no idea where that was).

To do this, I booted into Windows PE (but you could use the Windows XP Recovery Console) and did the following:

1) Made a backup of C:\Windows\System32\Config folder

2) Browsed to the C:\System Volume Information\_restore<GUID>\RPxxx\snapshot folder (I chose the oldest RPxxx one). Note these are hidden system folders.

3) Copied the following files to the Config folder and renamed them, taking off the _REGISTRY_MACHINE_ prefix and replacing the existing files.

  • _REGISTRY_MACHINE_SAM
  • _REGISTRY_MACHINE_SECURITY
  • _REGISTRY_MACHINE_SOFTWARE
  • _REGISTRY_MACHINE_SYSTEM
  • _REGISTRY_MACHINE_DEFAULT

4) This was probably not necessary, but I also restored the user’s ntuser.dat (and made a backup of it before replacing it), copying

_REGISTRY_USER_USERCLASS_<SID> to C:\Documents and Settings\<User Profile>

You can see the SID by checking permissions on the user profile within Windows PE, e.g. using icacls.

5) Renamed C:\windows\$NTServicePackUninstall$\spuninst.txt to spuninst.cmd and ran the batch file. This deletes the Service Pack 3 files and copies back the files that were backed up before the patch was applied.

Unfortunately, after restarting we got this error:

lsass.exe – System Error

When trying to update a password, this return status indicates that the value provided as the current password is not correct.


After this error the computer immediately rebooted.

This issue was fixed by restoring the SAM and SECURITY files from my backup back into C:\Windows\System32\Config. (If you didn’t have a backup, you could try your luck with the backups in the c:\windows\repair folder.)

After this the machine boots fine, with all the user’s applications intact.
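
Steps 1 and 3 above, plus the SAM/SECURITY rollback that fixed the lsass.exe error, written as a batch file for the Windows PE prompt. This is an added example, not the script used in the original repair; the file name restorehives.cmd, the backup folder C:\ConfigBackup and the assumption that the offline XP installation is mounted as C: are all hypothetical.

```batch
@echo off
rem Added example for the Windows PE prompt; not the author's own script.
rem   restorehives.cmd "<snapshot folder>"      steps 1 and 3
rem   restorehives.cmd /rollback SAM SECURITY   put named hives back from the backup
setlocal
rem Assumptions: the offline XP install is C:, and the backup folder name is made up here.
set "CONFIG=C:\Windows\System32\Config"
set "BACKUP=C:\ConfigBackup"
set "HIVES=SAM SECURITY SOFTWARE SYSTEM DEFAULT"

if "%~1"=="" goto usage
if /i "%~1"=="/rollback" goto rollback
set "SNAP=%~1"

rem Refuse to touch the live hives unless all five are present in the snapshot.
for %%H in (%HIVES%) do (
    if not exist "%SNAP%\_REGISTRY_MACHINE_%%H" (
        echo Missing "%SNAP%\_REGISTRY_MACHINE_%%H"
        exit /b 1
    )
)
rem Step 1: back up the Config folder once; a re-run never overwrites the first backup.
if exist "%BACKUP%\" (
    echo Backup folder "%BACKUP%" already exists, keeping it.
) else (
    xcopy "%CONFIG%" "%BACKUP%\" /e /h /k /i /y >nul || (echo Backup failed & exit /b 1)
)
rem Step 3: copy each snapshot hive over the live one, dropping the prefix.
for %%H in (%HIVES%) do (
    copy /y "%SNAP%\_REGISTRY_MACHINE_%%H" "%CONFIG%\%%H" >nul || (echo Copy of %%H failed & exit /b 1)
)
echo Hives restored from "%SNAP%"
exit /b 0

:rollback
rem Put back only the hives named on the command line, e.g. SAM and SECURITY.
shift
:nexthive
if "%~1"=="" exit /b 0
copy /y "%BACKUP%\%~1" "%CONFIG%\%~1" >nul || (echo Rollback of %~1 failed & exit /b 1)
echo Rolled back %~1
shift
goto nexthive

:usage
echo Usage: %~nx0 "snapshot folder"   or   %~nx0 /rollback SAM SECURITY
exit /b 1
```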

I made a 5-minute video of the process on my phone; it is here on YouTube:

Uninstalling Windows XP SP3 on an Unbootable PC

https://www.youtube.com/watch?v=MTR50Z3Kh98

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.